Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

OBSERVATIONS NOTED DURING THE OIG REVIEW OF CMS’S IMPLEMENTATION OF THE HEALTH INSURANCE EXCHANGE—DATA SERVICES HUB

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Gloria L. Jarmon
Deputy Inspector General

August 2013
A-18-13-30070

Office of Inspector General
https://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

August 2, 2013

TO:       Marilyn Tavenner
          Administrator
          Centers for Medicare & Medicaid Services

          Tony Trenkle
          Chief Information Officer
          Centers for Medicare & Medicaid Services

FROM:     /Gloria L. Jarmon/
          Deputy Inspector General for Audit Services

SUBJECT:  Memorandum Report: Observations Noted During the OIG Review of CMS’s Implementation of the Health Insurance Exchange—Data Services Hub (A-18-13-30070)

This memorandum report provides the results of our review of the Centers for Medicare & Medicaid Services’ (CMS) implementation of the Data Services Hub (Hub) from a security perspective. To determine the status of the implementation of the Hub, we assessed the information technology (IT) security controls that CMS is implementing for the Hub, the adequacy of the testing activities being performed during its development, and the coordination between CMS and Federal and State agencies during the development of the Hub. A memorandum report is the best vehicle to communicate the results of our performance audit work when observations, not recommendations, are the key elements of our results.

SUMMARY

CMS is addressing and testing security controls of the Hub during the development process. However, several critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges. CMS’s current schedule is to complete all of its tasks by October 1, 2013, in time for the expected initial open enrollment period.

Page 2 – Marilyn Tavenner, Tony Trenkle

BACKGROUND

States must establish health insurance exchanges by January 1, 2014,[1] and all health insurance exchanges must provide an initial open enrollment period beginning October 1, 2013 (45 CFR § 155.410). Health insurance exchanges are State-based competitive marketplaces where individuals and small businesses will be able to purchase private health insurance. Exchanges will serve as a one-stop shop where individuals will get information about their health insurance options, be assessed for eligibility (for, among other things, qualified health plans, premium tax credits, and cost sharing reductions), and enroll in the health plan of their choice. A State may elect to operate its own State-based exchange or partner with the Federal Government to operate a State partnership exchange. If a State elects not to operate an exchange, the Department of Health and Human Services will operate a Federally Facilitated Exchange.[2] For the purposes of this report, “exchanges” refers to all three types of health insurance exchanges.

The Hub is intended to support the exchanges by providing a single point where exchanges may access data from different sources, primarily Federal agencies. It is important to note that the Hub does not store data. Rather, it acts as a conduit for exchanges to access the data from where they are originally stored. The functions of the Hub will include facilitating the access of data by exchanges; enabling verification of coverage eligibility; providing a central point for the Internal Revenue Service (IRS) when it asks for coverage information; providing data for oversight of the exchanges; providing data for paying insurers; and providing data for use in Web portals for consumers.

Effective security controls are necessary to protect the confidentiality, integrity, and availability of a system and its information. The National Institute of Standards and Technology (NIST) developed information security standards and guidelines, including minimum requirements for Federal information systems. CMS is required to follow the NIST security standards and guidelines in securing the Hub.[3]

OBJECTIVE, SCOPE, AND METHODOLOGY

Our primary audit objective was to determine CMS’s current progress in implementing security requirements for the Hub. We evaluated the adequacy of the development and testing of the Hub from a security perspective. We did not review the functionality of the Hub.

[1] The Patient Protection and Affordable Care Act § 1311(b) (P.L. No. 111-148) and the Health Care Reconciliation Act of 2010 (P.L. No. 111-152), collectively known as the Affordable Care Act (ACA).
[2] The Center for Consumer Information and Insurance Oversight Web site has further information on the health insurance exchanges: http://www.cms.gov/CCIIO/Programs-and-Initiatives/Health-Insurance-Marketplaces. Accessed on July 9, 2013.
[3] NIST’s security standards assist Federal agencies in implementing the requirements under the Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541, et seq.

To accomplish our objectives, we:

   •   reviewed documentation, System Development Life Cycle artifacts, and CMS project schedules and timelines (including milestones established by CMS) as of March and May 2013 (the dates of CMS’s two project schedules) to track the activities that need to be completed before the implementation of the Hub;
   •   interviewed CMS employees and contractors;
   •   interviewed personnel from key Federal agencies working with CMS during the development of the Hub; and
   •   reviewed CMS’s security testing results.

We performed our fieldwork substantially from March through May 2013.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

RESULTS

At the time of our review, CMS and its contractors were continuing to develop the Hub and work with its Federal and State partners in testing the Hub to ensure its readiness in time for the initial open enrollment to begin on October 1, 2013. We made the following observations on security controls, security testing, and coordination at the time of our fieldwork.

Assessment of Security Controls

According to NIST security standards, every Federal information system must obtain a security authorization before the system goes into production. The security authorization is obtained from a senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations.

The security authorization package must include a system security plan (SSP), information security risk assessment (RA), and security control assessment (SCA) report. The security authorization package provides important information about risks of the information system, security controls necessary to mitigate those risks, and results of security control testing to ensure that the risks have been properly mitigated. Therefore, these documents must be completed before the security authorization decision can be made by the authorizing official. The authorizing official may grant the security authorization with the knowledge that there are still risks that have not been fully addressed at the time of the authorization.

CMS incorporated the elements required for adequate security into the draft Hub SSP. The SSP provides an overview of the security requirements of the system and describes the controls in place or planned (e.g., access controls, identification and authentication) for meeting those requirements and delineates the responsibilities and behavior expected of all individuals who access the system. The information security Hub RA was being drafted during our fieldwork. The RA should identify risks to the operations (including mission, functions, image, or reputation), agency assets, and individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. However, the CMS contractor did not expect to provide finalized security documents, including the SSP and RA, to CMS for its review until July 15, 2013. The original dates listed in CMS’s March and May 2013 schedules for the contractor to submit the final security documents were May 6, 2013, and July 1, 2013, respectively. Because the documents were still drafts, we could not assess CMS’s efforts to identify security controls and system risks for the Hub and implement safeguards and controls to mitigate identified risks.

According to CMS’s current timeline, the security authorization decision by the authorizing official, the CMS Chief Information Officer (CIO), is expected on September 30, 2013; the March 2013 schedule reported the date as September 4, 2013. If there are additional delays in completing the security authorization package, the CMS CIO may not have a full assessment of system risks and security controls needed for the security authorization decision by the initial open enrollment period expected to begin on October 1, 2013.

Adequacy of Security Testing

CMS and its contractors are performing security testing throughout the Hub’s development, including vulnerability assessments of Hub services. CMS is logging and tracking defects and vulnerabilities throughout the development process and correcting and retesting Hub services to ensure that vulnerabilities are remediated.

An SCA of the Hub must be performed by an independent testing organization before the security authorization is granted.[4] The SCA determines the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome of meeting the security requirements for the information system. The goal of the SCA test plan is to explain clearly the information the testing organization expects to obtain prior to the SCA, the areas that will be examined, and the proposed scheduled activities expected to be performed during the SCA. According to CMS’s March 2013 schedule, the SCA test plan was scheduled to be provided to CMS for its review on May 13, 2013, and the SCA was scheduled to be performed between June 3 and 7, 2013. However, in the May 2013 schedule, the SCA test plan due date was moved to July 15, 2013, and the SCA is now scheduled to be performed between August 5 and 16, 2013. CMS stated that the SCA was moved so that performance stress testing of the Hub could be finished before the SCA and any vulnerabilities identified during the stress testing could be remediated. Otherwise, CMS might need to perform an additional SCA after the remediation was complete.

[4] NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, Revision 1.

CMS has 3 weeks between the receipt of the SCA test plan and the start of the SCA for CMS to make changes to the plan and for the independent testing organization to adjust the plan. CMS must ensure that all devices in the Hub environment, including all firewalls and servers, are analyzed during the SCA. In addition, the draft report with the results of the SCA is not due from the contractor performing the SCA until September 9, 2013, and the final report is not due until September 20, 2013. We could not assess planned testing or whether vulnerabilities identified by the testing would be mitigated because the SCA test plan had not been provided and the SCA had not been completed at the time of our review. If there are additional delays in completing the SCA test plan and performing the SCA, the authorizing official may not have the full assessment of implemented security controls needed for the security authorization decision by the initial open enrollment period expected to begin on October 1, 2013.

See the table for a summary of the key security dates.

Table: Key Hub Security Due Dates

Security Document                 Date Due (per March 2013 schedule)   Date Due (per May 2013 schedule)
Final SSP and RA                  May 6, 2013                          July 1, 2013*
SCA Test Plan                     May 13, 2013                         July 15, 2013
SCA                               June 3-7, 2013                       August 5-16, 2013
Draft SCA Report                  June 28, 2013                        September 9, 2013
Final SCA Report                  July 15, 2013                        September 20, 2013
Security Authorization Decision   September 4, 2013                    September 30, 2013

* On July 1, 2013, CMS stated that the new date for the SSP and RA is July 15, 2013.

Coordination Among CMS and Its Federal and State Partners

CMS is coordinating with its Federal and State partners during the development and testing of the Hub, in part to ensure that security measures are implemented by all stakeholders. The Federal partners are the IRS, Social Security Administration (SSA), Department of Homeland Security (DHS), Veterans Health Administration (VHA), Department of Defense (DOD), Office of Personnel Management (OPM), and Peace Corps.

CMS developed a testing approach for interagency testing and has developed test plans. CMS is in the process of executing its test plans, which include testing for secure communications between CMS and its Federal and State partners and performance stress testing of the Hub.

CMS also developed security-related documents related to the Hub and the exchanges. CMS developed Interface Control Documents (ICD) with all of its Federal partners. The ICDs should be established during the development of new systems. The ICDs provide a common, standard technical specification for transferring ACA-related information between CMS (the Hub) and its Federal partners. The ICDs establish standard rules, requirements, and policies (including security-related policies) with which the development and implementation of the interfaces between CMS and its Federal partners must comply. CMS and its Federal partners collaborated in the development of the ICDs and signed the ICDs in May 2013.

Federal policy requires agencies to develop Interconnection Security Agreements (ISA) for Federal information systems and networks that share or exchange information with external information systems and networks. Specifically, Office of Management and Budget Circular A-130, Appendix III, requires agencies to obtain written management authorization before connecting their IT systems to other systems. The written authorization should define the rules of behavior and controls that must be maintained for the system interconnection. The Master ISA describes the systems’ environment, network architecture, and the overall approach for safeguarding the confidentiality, integrity, and availability of shared data and system interfaces. In addition, the Master ISA contains information on CMS information security policy and the roles and responsibilities pertaining to the maintenance of the security of ACA systems.

CMS completed a preliminary review of the Master ISA between CMS and the developer of the Hub on April 2, 2013, and the Associate ISAs on May 15, 2013. Each of the Federal partners will provide similar information pertaining to the partner agency in the Associate ISAs, signed by the Federal partner’s authorized official. The final review of the ISAs for all Federal partners is scheduled to be completed by September 3, 2013, and the CMS CIO is scheduled to grant the authority to connect to the Hub by September 30, 2013. In addition, CMS has developed a non-Federal ISA for third parties and the States.

A service level agreement (SLA) is a negotiated agreement between a service provider and the customer that defines services, priorities, responsibilities, guarantees, and warranties by specifying levels of availability, serviceability, performance, operation, or other service attributes. An SLA is needed between CMS and each of its Federal partners to establish agreed-upon services and availability, including response time and days and hours of availability of the Hub and the Federal partner’s ACA systems. According to CMS’s project schedule, the SLA with IRS was completed on March 15, 2013; the SLA with DHS is expected to be signed by July 26, 2013; and the SLA with SSA is expected to be signed by September 27, 2013. The SLAs with the remaining Federal partners (VHA, DOD, OPM, Peace Corps) are expected to be signed by September 20, 2013. The SLAs should be approved by all parties before October 1, 2013.

SUMMARY OF OBSERVATIONS

This memorandum report informs stakeholders of the status of steps CMS is taking to ensure that there are adequate security measures for the Hub. CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by the expected initial open enrollment date of October 1, 2013. If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

In its comments on our draft report, CMS stated that it is confident that the Hub will be operationally secure and it will have a security authorization before October 1, 2013. CMS also provided technical comments, which we addressed as appropriate. We have included CMS’s comments in the Appendix.

APPENDIX: CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

Office of Inspector General Note—Technical comments in the auditee’s response to the draft have been omitted from the final report and all appropriate changes have been made.